Legal Framework for Data Protection in Nigeria and Possible Implications for Security and The Economy

Author: Mr. Adedoyin Fadare

Honorary Board Member, Lexpert Assist


Data is an important asset an organisation can possess; with the rise of the data economy, establishments find enormous value in collecting, sharing and using data as harvesters. Transparency in how organisations request consent, abide by their privacy policy and managing the data collected is paramount. Similarly, privacy in this light, is the right of an individual to be free from uninvited surveillance, to safely exist in one’s space and freely express one’s opinion secretly. To this end, the vital connection in all of these is between the impacts of data on the economy and how to adequately protect this data.

The importance of data protection simply deals with the security of personal sensitive information of an individual who is the subject of the data protection; information relating to an individual, whether it relates to one’s private, professional or public life. It can be anything from a name, address, a photo, an email address, bank details, and post on social networking websites, medical information, or a computer’s Internet Protocol address.  The increasing demand for the protection of data can be attributed to the rise of the digital economy across the globe.


Nigeria has experienced exponential growth in terms of internet access and smartphone usage. Nigeria takes advantage of its enormous potentials with the use of affordable Information Communication Technologies.

It is interesting to point out that digital payments have surged in Nigeria, and a key trend is the emergence of mobile as a means of payment and consumption over the internet. E-wallet companies, various apps, online shopping, banking and travel sites complete the system. It is important to note that data subjects contribute immensely to this economy.

Correspondingly, digital technologies have changed the methods of business, buying, working and living in Nigeria. As digital technologies offer new ways to connect, collaborate, conduct business and build bridges between people, they touch the core of all business functions and even the ways organisations are managed. Digital communication has presented Nigeria with an opportunity to overcome the hindrances posed by deficiencies in its physical infrastructure and opened doors to new paradigms in all sectors of the economy. In 2018, the Nigerian Investment Promotion Commission estimated that the Nigerian digital economy should generate $88 billion and create three million jobs by the end of 2021.[1]


The question of how far Nigeria has realised this major concept in the 21st digital economy is important to ask.  It is essential to mention that one way it has leveraged on this is to have a legal framework to protect the data of its citizens. A review of the laws is analysed below:

  • Section 37 of the Constitution of the Federal Republic of Nigeria 1999 (as Amended) made provision for the protection and privacy of all citizens of Nigeria by stating that: “The privacy of citizens, their homes, correspondence, telephone conversation and telegraphic communications is hereby guaranteed and protected”
  • The Consumer Code of Practice Regulation (CCP) issued by the regulator of the Nigeria Communication Commission (NCC). The NCC’s Regulation provides that all licensees must take reasonable steps to protect customer information against improper or accidental disclosure, and must ensure that such information is securely stored. It also prohibits the transfer of customer’s information except as permitted or required by other applicable laws or regulations.
  • Registration of Telephone Subscribers Regulation (RTS) is another regulation issued by the NCC to combat data misuse in the country, it came into force in 2011. Like the CCP, it applies to all within the borders of Nigeria, regardless of country of citizenship. Section 9 provides a strict prohibition of unlawful sharing of data.
  • Cybercrime Act of 2015, which provides for “the retention and preservation of traffic data and subscriber information by service providers for 2 years.[2]
  • Child Rights Act protects the privacy of children under 18 years old[3]. This Act limits access to information relating to children under age 18.
  • The National Information Technology Development Agency (NITDA) Regulations. NITDA is the national authority responsible for planning, developing and promoting the use of information technology in Nigeria. It is empowered to “develop guidelines for electronic data interchange and other forms of electronic communication”.[4] In furtherance to this, the NITDA issued the guidelines on Data protection in 2019. It provides for its application; the data processing principles; the concept of consent; privacy policies; data security; third party contracts; data Subject rights; data transfers; transparency; appointment of a Protection Officer; privacy and data audit; and penalties.[5]


Like most developed countries, Nigeria seems to align itself with the fight against data breaches with the issuance of the NITDA guidelines, the implications of these are far-reaching. However, if there are no legal structures in place, what could be the implications?

There will consequently be large scale corporate data breaches and inappropriate use of personal data. Organisations will become indolent towards searching for interlopers who target corporate networks to steal client and customer data as well as insiders who already have access to the data and may use it for reckless or nefarious purposes. There could be a security breach or attack especially when the organisation harvests a large volume of data.

A lot of financial resources could be lost. The majority of cyber-attacks and identity theft concentrate on the money; this, in turn, ruptures the economy.

Just like every other human right, without adequate protection, it would be abused in its entirety.

These adverse consequences triggered by the lack of proper legal framework on data protection bother on human rights, the economy, and its security. The author cannot undermine the fact that data protection is a concept which has developed recently in Nigeria; he also acknowledges that the level of education and awareness of this concept in the country leaves much to be desired. However, he acknowledges that the most important is the protection of citizens through a legal framework to ensure that data does not get into the wrong hands, where this is so, there are countermeasures.

Organisations could also use these data for purposes other than those for which they are harvested; it could be sold indiscriminately, organisations could use these data to monitor the data Subjects unreliably without their consent to maximise profit or gain an undue advantage; and where this right cannot be protected, data Subjects will ultimately be wary of participating in the digital economy. 

To put this into perspective, when an individual interacts with the digital economy, he subjects a part of himself to the data harvester; usually, he is unaware as to the extent to which his data can be compromised; this is why the law is expected to be in place to bridge this and protect the data Subject.

In 2019, the government of the United States of America indicted global digital company, Facebook, for the breach of its users’ data for clandestine purposes but could have put the country’s security in jeopardy. With a framework in place, the government was able to leverage this to the benefit of Americans.

Also, there was an indictment describing Russian activities during the United States of America’s 2016 presidential campaign, it was alleged that Russian operatives relied on stolen identities of Americans to influence the elections.

It cannot be overemphasised that without an adequate framework to protect citizens, international and local corporations will take advantage of this lapse and abuse the latent rights knowing full well that there will be no stringent repercussions from the government. These lapses will pose a huge threat to the national security of the country in this respect.

Furthermore, when data is used for atrocities such as cyber and identity theft; the consequences of these often lead to activities which impair the image of the country, impoverish the citizens and ultimately damage the economy.


It is a step in the right direction for Nigeria to protect its citizens’ data through the establishment of a legal framework; however, above all, the most important venture for the Nigerian government is to thoroughly enforce this law to maximise its full potential. The government should properly educate the citizenry on this concept to ensure that the recipients of this law join in the protection.



[1] Nigeria’s Digital Economy to Generate $88b by 2021 Nigerian Investment Promotion Commission,

[2] Section 38 of Cybercrimes (Prohibition, Prevention ETC) ACT 2015.

[3] Section 8 of The Child Right Act.

[4] Section 6( c )NITDA Act.

[5] The NITDA guidelines are the closest data protection guideline when compared to other jurisdiction, although the guidelines apply to the Federal, State and Local government agencies and institutions as well as private sector organisations that own, use or deploy information systems of the Federal Republic of Nigeria; it also applies to organisations based outside or within Nigeria if such organisation process personal data of Nigerian residents and citizens.

Leave a Reply

Your email address will not be published. Required fields are marked *